si3t.ch

# Tips, FAQ, comments...

## About apu2

(HTM) apu2 is a great board that require few power and well supported by OpenBSD.

However, you can't plug it to a screen but have to use the serial port to install and do admin task. Actually, it may be a good thing if you already have a laptop and don't want to buy an extra screen and keyboard.

Even though apu2 are not build anymore, we will talk here about apu2 tips, also useful for other boards with a serial port.

For the record, this documentation is hosted on an apu2d0.

### Get to the apu2 console

Plus the usb dongle or directly the serial cable to a computer. To get to the serial console, you can run on OpenBSD :

```
cu -s 115200 -l /dev/cuaU0
```

You should run the above as root or add your username to "dialer" group before:

```
doas usermod -G dialer $(whoami)
```

### Install OpenBSD on APU2

Just proceed as usual with an USB key as installation media. In the console, before booting, add the following options so the installer knows we're in serial console :

```
boot>
stty com0 115200
set tty com0
```

No need to do if afterwards, the installer save this option.

### Upgrade apu2 bios

You can flash the firmware with flashrom tool :

```
# pkg_add flashrom
```

Now read /usr/local/share/doc/pkg-readmes/flashrom for up-to-date instructions.

## Check file checksum

When you transfer files, you may ensure the authenticity of data.

To do so, computing a file checksum is useful. Use the sha256 command:

```
$ sha256 debian-9.6.0-amd64.qcow2.gz
SHA256 (debian-9.6.0-amd64.qcow2.gz) = 91831ba15446f3ab418ae8a5c2a8ac0d852dc5d43bd595a70b88bd6ea4ded397
```

Do the same on both ends: the output must be the same.

Notice that on GNU/Linux, sha256 don't exist. Its equivalent is sha256sum.

If you are paranoid, you can go further and check signatures with signify tool.

## How to change password

Use passwd command:

```
# passwd jdoe
```

To change superuser password, you have to make sure to be correctly logged with appropriate environment variables. To do so, use -l flag:

```
# su -l
# passwd root
```

## Periodic tasks (cron)

Everything is ready on OpenBSD to run tasks periodically. You can edit the following scripts:

* /etc/daily.local
* /etc/weekly.local
* /etc/monthly.local

Make sure you use the full path of commands you need to run as PATH variable can be different than your user's. As example:

```
echo "You are so handsome" | mail -s "Hi" root # Not OK

echo "You are so handsome" | /usr/bin/mail -s "Hi" root # GOOD
```

Use which command_name to find absolute paths.

If you need more accurate timing, use cron.

Enter crontab -e and edit the file to specify when the user will run automatically a command. As example, to run it hourly (actually, every time the clock display "0 minutes"):

```
0 * * * * /path/to/command
```

With the example below, the command is run every 5 minutes:

```
*/5 * * * * /path/to/command
```

To learn more, read man crontab(5) manpage.

(HTM) Look at this website to help you writing crontasks.

crontabs are very handy 😎.

## Disk Partitioning

If you need to set up another disk, we describe here how to prepare it.

⚠ Notice all this can be achieved after disk encryption and having a RAID identified as sd1 later.

### Identifiy the disk

Plug the disk and run dmesg. You'll see something like that:

```
umass0 at uhub0 port 1 configuration 1 interface 0 "Western Digital Ext HDD 1021" rev 2.00/20.21 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <WD, Ext HDD 1021, 2021> SCSI2 0/direct fixed serial.10581021383235373034
sd1: 1907727MB, 512 bytes/sector, 3907024896 sectors
```

Here, the disk is identified as sd1. Adjust according to your case later.

### Partitioning

Actually, we create slices with disklabel:

```
# disklabel -E sd1
```

A prompt show up. Now we can create slices.

When in doubt, enter p to display the current state.

To create the first slice, enter a a. It means "Add a slice a".

Let default offset. Set the size according to your needs. To do so, you may use :

* An unit: 4G;
* A disk percentage: 50%;
* A percentage of remaining free space: 25&.

Choose filesystem "4.2BSD".

Add more slices if you want with a d, a e, a f...

⚠ Notice you can't create a c slice since it's reserved to identify the whole disk. Also, b is often used for swap, but it's not mandatory.

Once done, enter q to exit and apply changes.

Now enter disklabel sd1 to see disk state:

```
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Ext HDD 1021
duid: 782f1ddb783cdd13
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 243201
total sectors: 3907024896
boundstart: 64
boundend: 3907024065
drivedata: 0

16 partitions:
# size offset fstype [fsize bsize cpg]
a: 629153472 64 4.2BSD 4096 32768 1
d: 3277870464 629153536 4.2BSD 8192 65536 1
c: 3907024896 0 unused
```

Notice the duid:

```
duid: 782f1ddb783cdd13
```

You can use it later to identify the disk and avoid confusions if there are several. You can find it also with this command:

```
# sysctl hw.disknames
hw.disknames=wd0:bfb4775bb8397569,cd0:,wd1:56845c8da732ee7b,wd2:f18e359c8fa2522b
```

You're almost done, you still have to create the filesystem for each slices:

```
# newfs /dev/rsd1a
# newfs /dev/rsd1d
```

Don't forget the "r" 😉

Now you can edit /etc/fstab to mount the previous slices easyly. Notice the use of the previous duid:

```
...
782f1ddb783cdd13.a /home/prx/music/ ffs rw,noatime,nodev,nosuid,noauto 0 0
782f1ddb783cdd13.d /mnt/backup/ ffs rw,noatime,nodev,nosuid 1 2
```

That's a lot of options, you'll learn more in man fstab(5).

In this example:

* The first slice is mounted on a directory /home/prx/music. The noauto flag avoid auto-mounting at boot. 0s disable filesystem check at reboot. It is probably an external drive not always plugged.
* The second slice is mounted on /mnt/backup at each boot.

To mount every mountpoint listed in /etc/fstab, enter:

```
# mount -a
```

## How to find my network interface ?

Use ifconfig command.

Your interface might have an inet (IP) and might belong to egressgroup.

As example:

```
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
re0: flags=218843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MPSAFE,AUTOCONF6> mtu 1500
lladdr fc:aa:14:65:5f:86
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
priority: 0
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
priority: 0
groups: pflog
```

Here, "lo0" is not the interface we're looking for: it's local interface used by some program. "enc0" and "pflog0" are not our interface, they are respectively the encrypted interface used by IKED and pf logging inteface.

It remains "re0", the ethernet as written in "media" section.

## Logs

Your server keep records of its activity. It is often stored in text files called "logs". You can find most of them in /var/log and /var/www/logs.

You'll consider amongst others:

* /var/log/authlog: every login attempts, using ssh as example.
* /var/log/daemon: most daemon logs running in background. It is useful to see why one of them is malfunctioning.
* /var/log/maillog: mail server activity.
* /var/log/messages: system messages, interesting to read besides daemon.
* /var/log/php-fpm.log: PHP logs of course 😁

There are more.

I advice to read them from time to time to check everything works as expected. You can see them in realtime with the following command:

```
tail -f /var/log/messages /var/log/daemon /var/log/maillogs /var/log/authlog
```

Soon, you'll notice new files ending with ".0.gz", ".1.gz"... Those are archived logs. To avoid endlessly growing logs, OpenBSD run periodically "newsyslog" command and compress archives if necessary.

You can configure newsyslog if you edit /etc/newsyslog.conf. You may add new lines if an application create logs not listed:

```
...
/var/log/messages 644 5 300 * Z
/var/log/authlog root:wheel 640 7 * 168 Z
...
```

As usual, read man newsyslog(8) to learn more about this file.

## Check for improvements with lynis

(HTM) Lynis is a tool to scan your system looking for improvements in terms of security.

```
# pkg_add lynis
# lynis audit system
```

You'll see a lot of messages. Read /var/log/lynis-report.dat carefully then:

```
# less /var/log/lynis-report.dat
```

As example, you may read:

To filter for suggestions:

```
# grep suggestion /var/log/lynis-report.dat
```

## How to deal with power loss ? Where my mails are going ?

Well, that happens...

You can buy an uninterruptible power supply (UPS). It's a kind of backup battery where you plug your server and router. in case of powerloss, the UPS keep your server running giving about 20 minutes or more to shutdown properly or find another solution.

In case a daemon crashed because of some bug, OpenBSD notice in its daily report daemons that should be running but aren't. You can check then.

So, no big deal if sometimes your server is down.

> What happens when a mail server is, for some reasons, unreachable ?

SMTP protocol is designed to be reliable.

If your server is unreachable when someone tries to send you an email, things happens like in real life : the mailmain try again after some time. After trying, it may give up, sending a message to the author indicating there is a problem with the recipient.

There are no rules about time between each periodic delivery attemps. Each 4h, then each days, depending on the sender's configuration. It may give up after a week however.

To prevent the worst case where your server has burned, configure a backup mail server -- secondary -- so it keeps your emails while you are fixing your server. It is described in the mail part of this documentation.

## I have a problem, what can I do ?

### Daemon issue

If a daemon isn't starting, try starting it by hand to see errors ouput. As example, with httpd, you can enter:

```
rcctl -d start http
```

### Read Manpages

Check the manpage of the tool having an issue.

Look into /usr/local/share/doc/pkg-readmes if there are specific instructions.

### Problem with a port/package

Use pkg_check command to fix the state of your ports usage.

### Look into logs

Look at logs with tail command to see if there are error messages :

```
# tail -f /var/log/messages /var/log/daemon
```

For a website:

```
# tail -f /var/www/logs/*
```

For login issues:

```
# tail -f /var/log/authlog
```

Also, run dmesg to see if a device has an issue.

### Check what the Firewall is doing

Look at firewall traffic with tcpdump to see where it's failing:

```
# tcpdump -n -e -ttt -i pflog0
```

### Corrupted filesystem or loop reboots

Try to boot on the ramdisk bsd.rd.

```
boot> bsd.rd [Enter]
```

Then choose to reinstall sets with U: Upgrade or use the shell to fix filesystem with fsck.

You also can boot on a disk prepared with "minirootXX.img".

Then choose S : Shell.

Look after your disk with dmesg. In this example, we use sd1.

Make sure it is ready with:

```
cd /dev && sh MAKEDEV sd1
```

Then, check and fix the filesystem:

```
fsck -y sd1a
fsck -y sd1d
```

Do it for each slices. Use disklabel sd1 to list them.

### Ask for help

(HTM) Ask on official mailing list

(BIN) Talk on XMPP room

## Generate good random passwords

> The longer the better !

The more combinations a cracking tool will have to try, the more secure is your passphrase.

You may:

* Turn a sentence into a password. As example : Sniffingpeppermakemecoughalo
* Turn a few letters in the sentence : Sn1ffingp3ppermakemec0ugal0t.

You can use OpenBSD's tools to generate random passwords. Below are examples for 15 charater long passwords:

```
$ openssl rand 15 -base64

$ dd if=/dev/urandom count=128 bs=1M 2>&1 | md5 | cut -b-15

$ jot -rcs 20 32 126

$ tr -cd ' -~' < /dev/urandom
# only alnum
$ tr -cd '[:alnum:]' < /dev/urandom
```

Here are some interesting links on the topic:

(HTM) https://m.xkcd.com/936/
(BIN) Password strenght XKCD

## Split and reassemble files

If y ou have huge files to transfer, you can split them.

```
$ gzip -c big_file | split -b 100m - big_file.gz
```

You get max 100mb files sorted alphabetically :

```
$ ls -l
-rw-r--r-- 1 xavier xavier 104857600 Dec 12 16:52 big_file.gzaa
-rw-r--r-- 1 xavier xavier 104857600 Dec 12 16:52 big_file.gzab
-rw-r--r-- 1 xavier xavier 88204071 Dec 12 16:52 big_file.gzac
```

To recreate the original file, use cat:

```
cat big_file.gz_* | gunzip -c > big_file
```

Nice isnt it ? 😎

## How to add/delete users?

### Add user

Creating users let you :

* Get a login for ssh access
* Create a new mail address
* Split privileges
* ...

According to the user's taks, you won't create the account the same way.

* Leave defaults for an user with SSH access
* You can add an user to a group to manage groups permissions for multiple user at once.
* You can set a fake shell if you want to disable shell access for an user: /sbin/nologin.

To add an user, use adduser. It is interactive istead of useradd. Yeah, I know...

That's how it looks like:

```
root@votreserveur[~] # adduser
Use option '-silent' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: toto
Enter full name []: Jean-Eudes
Enter shell csh ksh nologin sh [nologin]: nologin
Uid [1005]:
Login group toto [toto]:
Login group is toto. Invite toto into other groups: guest no
[no]:
Login class authpf bgpd daemon default dovecot pbuild staff unwind
[default]:
Enter password []:
Enter password again []:

Name: toto
Password: ***************
Fullname: Jean-Eudes
Uid: 1005
Gid: 1005 (toto)
Groups: toto
Login Class: default
HOME: /home/toto
Shell: /sbin/nologin
OK? (y/n) [y]: y
Added user toto
Add another user? (y/n) [y]: n
Goodbye!
```

Make sure to set a good passphrase.

### Delete an user

```
# userdel toto
# groupdel toto
```

Here you go! 😊

---

(DIR) Table of contents
(BIN) Donate

---
(DIR) /